It's my first post after a while of being offline, hopefully worth the delay.
A couple of days ago, while I was browsing Facebook, one of my friends appeared to have made 2 to 5 posts on my wall. They weren't the usual game/app links; they were URLs to an external site, some kind of spam page (hmm, unusual).
My friend, who uses the Chrome browser, did some poking around on that site and found that when somebody clicks the link, it takes the victim to an external site. That site is in Turkish and has a button which, when clicked, automatically downloads and installs a Chrome extension. The extension makes use of all the user data it gathers, and abuses the Facebook account to spread the worm worldwide.
So now, a lot of questions can be asked here:
- What is that site?
- How is it able to take advantage of my Facebook account (or other data)?
- What kind of data can be gathered by this worm?
All these questions can be answered by doing a small analysis of the steps this worm takes.
First of all, let's follow the same steps a user would take when clicking on that link. The shared URL is:
When we click on that URL, we are taken to a page that looks like this:
Weird enough!
The story starts when clicking on that button (Guncelle). Looking at the source code of this page, we find that the whole page is just an iframe, underneath which sits the real malicious site, which is:
What this code actually does is simple: it checks which browser the victim is viewing the page with by inspecting the User-Agent header, and then redirects the user to the matching page for that browser.
Here, because my friend was running Chrome, it redirects us to:
alert("Birazdan Çikan Pencerede Ekle Butonuna Tiklayiniz!");
Again, it checks whether the victim is running Chrome. If not, it redirects him back to the index page, which is the main site running beneath the iframe, which in turn detects his browser and redirects him to the matching page. Otherwise, it executes the chrome.webstore.install() function.
So what does this function do? As Chrome's developer page explains:
Once you've published your app or extension, you may be wondering how users will find and install your app. For users who browse the Chrome Web Store and find your item, it's a very easy one-click process to install it. However, if a user is already on your site, it can be cumbersome for them to complete the installation - they would need to navigate away from your site to the store, complete the install process, and then return.
As of Google Chrome 15, you can initiate app and extension installations "inline" from your site. These apps and extensions are still hosted in the Chrome Web Store, but users no longer have to leave your site to install them.
The prototype of this inline function looks like this:
chrome.webstore.install(url, successCallback, failureCallback)
It's similar to a "Google API" for web applications. It takes three parameters; we will concentrate on the most important one, which is the URL from which the function fetches the application. Now, when we return to the kur() function, we notice that it fetches an application named Live Broadcast, which can do the following, according to its Web Store page:
- Your data on all websites
- Data you copy and paste
- Your browsing history
- Your list of installed apps, extensions, and themes
- Your tabs and browsing activity
That is how the worm works, and it lets the attacker use the data however he wants.
It's dangerous to click on any link you see, especially from unknown senders or on social sites. Make sure you know what you are clicking on, as well as who sent it, before you actually click.
[~] Special thanks go to Eyad Warraky for discovering the worm, as well as letting me do this beautiful worm analysis. Thx ;-)
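As an added example (not code from this post or from the worm), here is a small Node.js triage helper for the two pieces described above: it maps a Chrome extension manifest's permissions to the install-time warnings quoted from the Web Store page, and it scans page source for the browser-sniff plus chrome.webstore.install() pattern. The manifest, the page, the domain and the extension id are constructed; only the extension name "Live Broadcast" and the function name kur() come from the post.

```javascript
// Added example (not code from the original post): defender-side triage for
// the technique described above. warningsFor() maps a Chrome extension
// manifest's permissions to the install-time warnings quoted in the post;
// inlineInstallIndicators() scans page source for the userAgent check plus
// chrome.webstore.install() call. The manifest and page below are constructed.
const WARNINGS = new Map([
  ['<all_urls>', 'Your data on all websites'],
  ['clipboardRead', 'Data you copy and paste'],
  ['history', 'Your browsing history'],
  ['management', 'Your list of installed apps, extensions, and themes'],
  ['tabs', 'Your tabs and browsing activity'],
]);
// Host patterns like *://*/* grant the same reach as <all_urls>.
const ALL_HOSTS = /^(\*|https?):\/\/\*\/\*$/;

function warningsFor(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hits = new Set();
  for (const p of perms) {
    if (WARNINGS.has(p)) hits.add(WARNINGS.get(p));
    else if (ALL_HOSTS.test(p)) hits.add(WARNINGS.get('<all_urls>'));
  }
  return [...hits];
}
function inlineInstallIndicators(html) {
  return {
    uaSniff: /navigator\.userAgent/.test(html),
    inlineInstall: /chrome\.webstore\.install\s*\(/.test(html),
    externalIframe: /<iframe[^>]*\ssrc=["']https?:\/\//i.test(html),
  };
}
// Verdict: browser sniff + inline install + an extension asking for at least
// three of the warnings above is the combination the post describes.
function triage(html, manifest) {
  const ind = inlineInstallIndicators(html);
  const warnings = warningsFor(manifest);
  return { ...ind, warnings, suspicious: ind.uaSniff && ind.inlineInstall && warnings.length >= 3 };
}
// Constructed samples: hypothetical domain, placeholder extension id; only the
// extension name "Live Broadcast" and the function name kur() come from the post.
const SAMPLE_MANIFEST = { name: 'Live Broadcast', manifest_version: 2,
  permissions: ['tabs', 'history', 'clipboardRead', 'management', '*://*/*'] };
const SAMPLE_PAGE = `<iframe src="http://spam-site.example/index.php"></iframe>
<script>function kur(){ if (navigator.userAgent.indexOf("Chrome") > -1)
  chrome.webstore.install("https://chrome.google.com/webstore/detail/PLACEHOLDER_ID");
  else location.href = "index.php"; }</script>`;

console.log(JSON.stringify(triage(SAMPLE_PAGE, SAMPLE_MANIFEST), null, 2));
```

Inline installation was removed from Chrome in 2018, so a chrome.webstore.install() call in page source is by itself a useful indicator today.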